[rsyslog-notify] Forum Thread: Re: omudspoof and ASA - (Mode 'reply')
noreply at adiscon.com
Tue Feb 25 11:27:42 CET 2014
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24255#p24255
Message:
----------
The rsyslog that is nearest to the defective SIEM is the one that needs to
do the spoofing, but the ones that send the logs to that rsyslog do not
need to spoof. This does mean you need a slightly different configuration
(you don't spoof based on fromhost-ip, you spoof on some other value that
you put in the log message).

For example, your relays could log with the format

<%PRI%>%timestamp% %fromhost-ip% %syslogtag%%msg%

This is a perfectly valid log, with an IP address in the hostname field.
Then when you spoof, you can use %hostname% where the example uses
%fromhost-ip%, and it will work, even several relays later.

The other thing you could do is to send your logs in a JSON/CEE compatible
format, and then you would have lots of other data available to all your
tools (except for this defective SIEM, where you would end up throwing that
other data away in order to avoid confusing it).
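The two-hop setup dlang describes, written out as an added example (not from the post or the rsyslog project): the relay puts the original sender's IP into the hostname field, and only the last hop before the SIEM loads omudpspoof and spoofs on %hostname%. Host addresses and template names are placeholders; the module and parameter names are assumed from rsyslog 7 RainerScript syntax.

```conf
# --- relay(s): no spoofing, just carry the sender IP in the hostname field ---
module(load="imudp")
input(type="imudp" port="514")

# Same format as in the post: the hostname slot holds %fromhost-ip%
template(name="RelayFmt" type="string"
         string="<%PRI%>%timestamp% %fromhost-ip% %syslogtag%%msg%")

# Forward to the next hop (placeholder address); no privileges needed here
action(type="omfwd" target="192.0.2.10" port="514" protocol="udp"
       template="RelayFmt")

# --- last hop in front of the SIEM: spoof using the carried hostname field ---
# module(load="imudp")
# input(type="imudp" port="514")
module(load="omudpspoof")

# The upstream relay wrote an IP address into the hostname field, so
# %hostname% here is the original sender's IP, however many relays later.
# Caveat: any upstream that sends a real hostname instead of an IP will
# break the spoofed source address, so only accept this input from relays
# that use RelayFmt.
template(name="SpoofSource" type="string" string="%hostname%")

# What the SIEM sees: a plain syslog line, as it would from the sender itself
template(name="SpoofMsg" type="string"
         string="<%PRI%>%timestamp% %hostname% %syslogtag%%msg%")

# omudpspoof needs raw-socket privileges (root or CAP_NET_RAW) on this host
action(type="omudpspoof" target="198.51.100.5" port="514"
       sourcetemplate="SpoofSource" template="SpoofMsg")
```

The relay and last-hop blocks belong in two different rsyslog.conf files; they are shown together only to keep the example in one place.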